Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Installing *Ubuntu with Full Disk Encryption
Options
-
28-06-2014 5:01pm#1
Comments
-
-
-
-
-
Son_of_Belial wrote: »Full disk encryption is important especially if (like me) you tend to carry a laptop around with you from time to time. What happens if it gets lost? Here's how to implement full disk encryption so that if you do lose it or it gets stolen your information and data are safe.
There weren't very many clear tutorials online when I first wanted to do this and it took me hours to come up with a way to do it and trawling forums. Here is my complete solution.
INSTALL *UBUNTU ON FULL-DISK ENCRYPTION, LUKS ENCRYPTING MULTIPLE PARTITIONS WITH SINGLE PASS PHRASE
ASSUMPTIONS:
* You are comfortable installing *Ubuntu
* You know how to partition your hard drive using Gparted, fdisk, cfdisk etc.
FIRST STEPS:
There are a number of ways to do this - below is simply how I did this and it works perfectly.
1. Download a L/Ubuntu image and boot into it.
2. Partition your hard drive into 4 partitions. Sizes you want is up to you and your system.
/dev/sda1 is your boot partition
/dev/sda2 is your home partition
/dev/sda3 is your root partition
/dev/sda4 is your swap partition
3. Open a root terminal (sudo -s) and run the following:apt-get -y update apt-get -y install lvm2 mkfs.ext2 /dev/sda1 cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda2 cryptsetup luksOpen /dev/sda2 crypthome mkfs.ext4 /dev/mapper/crypthome cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda3 cryptsetup luksOpen /dev/sda3 cryptroot mkfs.ext4 /dev/mapper/cryptroot cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda4 cryptsetup luksOpen /dev/sda4 cryptswap mkswap /dev/mapper/cryptswap
4. Now install Lubuntu onto the system. At the prompt, select "Do something else" when asked and select partitions manually
/dev/sda1 as /boot
/dev/mapper/cryptroot as /
/dev/mapper/crypthome as /home
/dev/mapper/cryptswap as swap
Go through the installation as normal but DO NOT REBOOT THE LIVE IMAGE ONCE IT'S FINISHED INSTALLING!!!!! Click "Continue Testing".
5. Go back to your root terminal (Terminal 1) and do the following:cd /mnt mkdir root mount /dev/mapper/cryptroot root mount /dev/sda1 root/boot chroot root mount -t proc proc /proc mount -t sysfs sys /sys mount -t devpts devpts /dev/pts
6. Open a second root terminal (Terminal 2) and run this to allow internet access to your chrooted install:cp -v /etc/resolv.conf /mnt/root/etc/resolv.conf
7. Go back to Terminal 1 (chrooted system) and run:apt-get -y update apt-get -y install cryptsetup lvm2
8. Now we're going to make a keyfile to use as an allowed unlock method for our home and swap partitions.
In Terminal 2 run:dd if=/dev/urandom of=/mnt/root/root/keyfile bs=1024 count=4 chmod 0400 /mnt/root/root/keyfile cryptsetup luksAddKey /dev/sda2 /mnt/root/root/keyfile cryptsetup luksAddKey /dev/sda4 /mnt/root/root/keyfile
9. Now we need to make sure the system can boot and open these partitions on startup. We need to get the device IDs so still in terminal 2 run:blkid
Make a note of the UUIDs for all of the partitions.
The output should come out like this:/dev/sda1: UUID="3b76fea5-30ea-43e3-bacb-5e4f2753f5a2" TYPE="ext2" /dev/sda2: UUID="a7533aea-981d-4d48-8bb4-4d27ec17a146" TYPE="crypto_LUKS" /dev/sda3: UUID="cf96816a-dd58-4d7e-a9c4-674f9d3608da" TYPE="crypto_LUKS" /dev/sda4: UUID="84a9581b-09b9-4d92-9b8d-bd563bbbb730" TYPE="crypto_LUKS" /dev/mapper/cryptroot: UUID="b9f09d65-e165-4061-9531-6636ad3818ab" TYPE="ext4" /dev/mapper/crypthome: UUID="76a39067-4887-4542-887d-e652c69ec313" TYPE="ext4" /dev/mapper/cryptswap: UUID="392396c9-2d9f-4187-b8ee-ae95a98426fb" TYPE="swap"
10. Go back to Terminal 1 and type:nano /etc/crypttab
This file tells the system what partitions to decrypt on startup and how, so using the blkid output for reference and what goes in here you should be able to put in your own values:cryptroot UUID=cf96816a-dd58-4d7e-a9c4-674f9d3608da none luks # UUID for /dev/sda3 as root crypthome UUID=a7533aea-981d-4d48-8bb4-4d27ec17a146 /root/keyfile luks # UUID for /dev/sda2 as home cryptswap UUID=84a9581b-09b9-4d92-9b8d-bd563bbbb730 /root/keyfile luks # UUID for /dev/sda4 as swap
As you can see, the keyfile generated in Step 8 is used to unlock the crypthome and cryptswap partitions
11. Now, still in Terminal 1 enter the following:update-initramfs -u shutdown now -r
...And voilà! The system should restart and present you with a screen asking you to enter your password which unlocks the whole system. If it tells you that the /home or /swap partition cannot be found you just need to wait a few seconds and it should then be opened with the keyfile.
We're passed the time limit on editing posts by now but I'd like to add an OPTIONAL step to this post which you can insert between Steps 10 and 11. Honestly this is only useful for the TRULY paranoid or perhaps activists/journalists who may be forced to hand over USBs / Laptops to authorities etc. at borders etc. The following gives you the ability to enter a "Nuke" password at the boot which will wipe cryptographic keys from the system and render the system basically bricked - not even you will be able to access the system again unless you restore the LUKS Headers (which you will have backed up, encrypted and saved ELSEWHERE such as on Google Drive, Dropbox, an FTP Server an SD Card in a camera etc.)
The idea is that if/when subjected to rubber-hose cryptanalysis and you fold, the password you give up is this "Nuke" password rather than the real one. After that authorities, "3-Letter Agencies" etc. can do what they like to you - there isn't anyone on the planet who will be able to access the data again (unless you can get your hands on the Header Backups - which of course you will deny having kept and to which you will not have easy access).
Kali Linux has a patch in its version of cryptsetup which essentially allows you to "Nuke" your installation or any other LUKS encrypted volume. It is authored by Adam Conrad (GPG FPR: 8BC6 0080 5AAC 660F EB4D 1983 8340 1A30 B1CD E58F) of Canonical.
So - from Terminal 1 (Your chrooted install) run the following:apt-get -y install libgcrypt11-dev libdevmapper-dev libpopt-dev uuid-dev libtool automake autopoint debhelper xsltproc docbook-xsl dpkg-dev git apt-get -y purge cryptsetup && sync && apt-get -y autoremove
A warning might pop up - go ahead and tab to YES and hit ENTER
AGAIN IT IS VERY IMPORTANT THAT THE SYSTEM DOES NOT POWER OFF OR OTHERWISE UNTIL THE END!!apt-get -y source cryptsetup
At the time of writing, the current version of cryptsetup is 1.6.1 so after this operation there should be a directory named "cryptsetup-1.6.1". Take note of that.
Now we need to download and install the patch. To do this run:git clone https://github.com/offensive-security/cryptsetup-nuke-keys
There should now be a directory named cryptsetup-nuke-keys in the present directory. Now, cd into the cryptsetup directory:cd cryptsetup-1.6.1
...and apply the patch:patch -p1 < ../cryptsetup-nuke-keys/cryptsetup_1.6.1+nuke_keys.diff
Now you need to build the packages so run:dpkg-buildpackage -b -uc
Once this has completed successfully, you can come back out of this directory with a:cd ..
There should be two cryptsetup*.deb and two libcryptsetup*.deb packages in here now that will have to be installed. To do this run:dpkg -i libcryptsetup*.deb dpkg -i cryptsetup*.deb
Now your patched cryptsetup is installed. You can verify this by running:cryptsetup --help
You should see a "luksAddNuke" command in there.
USING THE PATCH:
From this point you can go ahead to Step 11 and finish the install. However to use the patch, here's how:
First we want to remove ANY passwords we entered in Step 3 from both the HOME and SWAP partitions. These are opened by the keyfile which is in the root partition. The reason for this is that up until now, it was possible to open crypthome and cryptswap independently of cryptroot via password. This ensures that the only way these partitions can be opened is via the keyfile in the cryptroot partition which itself can only be accessed via password. Basically no access to cryptroot, no access to ANYTHING. So assuming we went with the partitioning/naming convention in Step 3 we're going to remove the passwords from HOME and SWAP respectively, remembering to use the same passwords you used in Step 3:cryptsetup luksRemoveKey /dev/sda2 cryptsetup luksRemoveKey /dev/sda4
Now we need to add the Nuke Password to the CRYPTROOT partition. It will ask for two passwords - the first one will be your password you entered in Step 3 to encrypt the partition. The 2nd will be your Nuke Password:cryptsetup luksAddNuke /dev/sda3
Done!!!!
Finally, we're going to backup and encrypt the LUKS headers (using OpenSSL. Please use a DIFFERENT password to the partition encryption password in Step 3 and the Nuke password you used above). Enter your encryption password at the prompts. You're going to want to remove these when done completely off the system. After you've run the code below, if you jump into Terminal 2, you'll find the encrypted Header Backups in /mnt/root/root:cryptsetup luksHeaderBackup --header-backup-file /root/CRYPTROOT_header.bak /dev/sda3 cryptsetup luksHeaderBackup --header-backup-file /root/CRYPTHOME_header.bak /dev/sda2 cryptsetup luksHeaderBackup --header-backup-file /root/CRYPTSWAP_header.bak /dev/sda4 apt-get -y install openssl openssl enc -aes-256-ctr -in /root/CRYPTROOT_header.bak -out /root/CRYPTROOT_header.bak.enc openssl enc -aes-256-ctr -in /root/CRYPTHOME_header.bak -out /root/CRYPTHOME_header.bak.enc openssl enc -aes-256-ctr -in /root/CRYPTSWAP_header.bak -out /root/CRYPTSWAP_header.bak.enc
To move the encrypted backups to a USB - /PATH/TO/USB for example, jump over to Terminal 2 for a moment and run:cp -v /mnt/root/root/CRYPT*.bak.enc /PATH/TO/USB
Now back in Terminal 1 we need to securely delete the backups so run:shred -uvfz -n 10 /root/CRYPT*
You can now continue to Step 11...............
SO HOW DO I USE THE WHOLE THING?
NUKE SYSTEM:
When your system boots and it asks for a password, instead of typing in the decryption password, you simply enter the nuke password. That will work and now you have a bricked system, inaccessible to anyone, even you.
RESTORE SYSTEM:
OK, so now you're safe and you want to restore your system. How do you do that?
a) Boot a live version of *Ubuntu from a CD/DVD or USB on the system
b) Open up a terminal and enter the following:sudo -s apt-get -y update apt-get -y install cryptsetup lvm2 openssl openssl enc -d -aes-256-ctr -in /PATH/TO/USB/CRYPTROOT_header.bak.enc -out CRYPTROOT_header.bak openssl enc -d -aes-256-ctr -in /PATH/TO/USB/CRYPTHOME_header.bak.enc -out CRYPTHOME_header.bak openssl enc -d -aes-256-ctr -in /PATH/TO/USB/CRYPTSWAP_header.bak.enc -out CRYPTSWAP_header.bak
c) Now you're simply going to restore the headers to the system and reboot...cryptsetup luksHeaderRestore --header-backup-file CRYPTROOT_header.bak /dev/sda3 cryptsetup luksHeaderRestore --header-backup-file CRYPTHOME_header.bak /dev/sda2 cryptsetup luksHeaderRestore --header-backup-file CRYPTSWAP_header.bak /dev/sda4 sync shutdown now -r
d) If everything went well your system should restart and boot up with its usual password!!0 -
Advertisement
-
-
-
Son_of_Belial wrote: »I believe the original TrueCrypt had the same functionality
Yeah, I didn't do a very good job of describing that podcast. I never used TrueCrypt myself but I had assumed the functionality was from it but the guy describing it was the developer who'd pick it up when it was abandoned. He only changed the name (to Veracrypt) because TrueCrypt was trademarked. But yeah I wasn't very clear. Actually he credits the original unknown developers with all the (hard) work but he does say he examined the code carefully looking for anything that might be a backdoor - this is what many worried about when it was dropped.Son_of_Belial wrote: »It's not exactly the "wrong" password, it's simply another password to open an alternative volume.
This is exactly what I do for passwords in general but I gotta admit I never really researched the security of keepass. Actually I don't use a service! I have a standalone app installed.Son_of_Belial wrote: »For losing keys etc., I'd recommend using a service such as KeePassX to keep your passwords
But, if the whole system was encrypted, I was imagining that I'd need to enter a password on boot. In which, case I would not be able to use keepass until I had booted. A chicken & egg scenario.
I could use a master password I could remember but that would mean it's not that strong which kinda defeats the purpose. 0 -
-
-
Advertisement
Advertisement